Presentations

Top 10 Java Defenses for Website Security

by Jim Manico

Do not build your own web application security controls from scratch!
This presentation describes the use of several OWASP, Apache and Google
open source Java projects that are essential tools to help you construct
a secure web applications.

From the Trenches: Real-World Agile SDLC

by Chris Eng & Ryan O’Boyle
Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise. In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs.

In this session, we’ll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project. We’ll explain how we’ve evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We’ll also talk about some of the lessons we’ve learned along the way, including things that haven’t worked or wouldn’t scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Speakers

Jim Manico is the VP of Security Architecture for WhiteHat Security, a web and application security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a 20 year history building software as a developer and architect. Jim is also a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects.
For more information, see http://www.linkedin.com/in/jmanico.

Chris Eng is Vice President of Research at Veracode. Chris is a sought after speaker at industry conferences, and has presented at events such as BlackHat, RSA, OWASP, and CanSecWest. In addition to presenting on a diverse set of application security topics, including cryptographic attacks, testing methodologies, mobile application security, and security metrics, Chris frequently comments on software security trends for media outlets worldwide. Throughout his career at organizations such as NSA, @stake, and Veracode, Chris has led projects breaking, building and defending software

Ryan O’Boyle

Ryan O’Boyle is a Principal Security Researcher at Veracode, and a certified ScrumMaster. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments, where he was focused not only on finding vulnerabilities but helping engineers fix them and avoid them altogether.